When you switch the operation mode, FortiWeb deletes server policies from the configuration file if they are not applicable in the current operation mode. |
Variable | Description | Default |
<policy_name> | Type the name of the policy. The maximum length is 63 characters. To display the list of existing policies, type: edit ? | No default. |
deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers} | Specify the distribution method that FortiWeb uses when it forwards connections accepted by this policy. • server-pool — Forwards connections to a server pool. Depending on the pool configuration, FortiWeb either forwards connections to a single physical or domain server or distributes them among the pool members. Also configure server-pool <server-pool_name>. Available only if the operating mode is reverse proxy. • http-content-routing — Uses HTTP content routing policies to route HTTP requests to a specific server pool according to the content of the request. Also configure the content routing entries (content-routing-policy-name <content-routing_name> and is-default {yes | no}). Available only if the operating mode is reverse proxy. • offline-protection — Allows connections to pass through the FortiWeb appliance and applies an offline protection profile. Also configure server-pool <server-pool_name>. This is the only option available if the operating mode is offline protection. • transparent-servers — Allows connections to pass through the FortiWeb appliance and applies a protection profile. Also configure server-pool <server-pool_name>. This is the only option available if the operating mode is true transparent proxy or transparent inspection. | No default. |
vserver <vserver_name> | Type the name of a virtual server that provides the IP address and network interface of incoming traffic that FortiWeb routes and to which the policy applies a protection profile. The maximum length is 35 characters. To display the list of existing virtual servers, type: edit ? Available only if the operating mode is reverse proxy. | No default. |
v-zone <bridge_name> | Type the name of the bridge that specifies the network interface of the incoming traffic that the policy applies a protection profile to. The maximum length is 15 characters. To display the list of existing bridges, type: edit ? Available only if the operating mode is true transparent proxy or transparent inspection. | No default. |
data-capture-port <port_int> | Type the name of the network interface that receives the incoming traffic the policy applies a profile to. The interface's IP address is ignored. Available only if the operating mode is offline protection. | |
prefer-current-session {enable |disable} | Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client. This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed. Available only when deployment-mode is http-content-routing. | |
server-pool <server-pool_name> | Type the name of the server pool whose members receive the connections. To display the list of existing servers, type: edit ? This field is applicable only if deployment-mode is server-pool, offline-protection or transparent-servers. Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply traffic forwarded to your server pool, which can overload it and cause dropped connections. | No default. |
allow-hosts <hosts_name> | Type the name of a protected hosts group. FortiWeb allows or rejects connections based upon whether the Host: field in the HTTP header is empty, matches the protected hosts group, or does not match it. The maximum length is 35 characters. To display the list of existing groups, type: edit ? If you do not select a protected hosts group, FortiWeb accepts or blocks requests based upon the other criteria in the policy or protection profile, regardless of the Host: field in the HTTP header. Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb appliance does not block HTTP 1.0 requests for lacking this field, regardless of whether you have selected a protected hosts group. | No default. |
block-port <port_int> | Type the number of the physical network interface port that FortiWeb uses to send TCP RST (reset) packets when a request violates the policy. The valid range varies by the number of physical ports on the NIC. For example, to send TCP RST from port1, type: set block-port port1 Available only when the operating mode is offline protection. | No default. |
syncookie {enable | disable} | Enable to detect TCP SYN flood attacks. For more information, see the FortiWeb Administration Guide. Available only when the operating mode is reverse proxy or true transparent proxy. | disable |
half-open-threshold <packets_int> | Enter the maximum number of TCP SYN packets per second, including retransmissions, that FortiWeb allows to be sent to a destination address. If this threshold is exceeded, the FortiWeb appliance treats the traffic as a DoS attack and ignores additional traffic from the offending source address. The valid range is from 10 to 10,000 packets. Available only when the operating mode is reverse proxy or true transparent proxy and syncookie is enabled. | 8192 |
service <service_name> | Type the custom or predefined service that defines the port number on which the virtual server receives HTTP traffic. The maximum length is 35 characters. To display the list of existing services, type: edit ? Available only when the operating mode is reverse proxy. | No default. |
https-service <service_name> | Type the custom or predefined service that defines the port number on which the virtual server receives HTTPS traffic. The maximum length is 35 characters. To display the list of existing services, type: edit ? Available only when the operating mode is reverse proxy. (For other operation modes, use the server pool configuration to enable SSL inspection instead.) | No default. |
hsts-header {enable | disable} | Enable to combat MITM attacks on HTTP by injecting the RFC 6797 strict transport security header into the reply, such as: Strict-Transport-Security: max-age=31536000; includeSubDomains This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client's web browser does not display any dialog that allows the user to override the certificate mismatch error and continue. Note: Per RFC 6797, clients honor the header only when it is received over an HTTPS connection with a valid certificate, so pair it with http-to-https {enable | disable}; includeSubDomains extends the policy to every subdomain of the host, including any that are still served only over HTTP. Available only if https-service <service_name> is configured. | disable |
hsts-max-age <timeout_int> | Type the time to live in seconds for the HSTS header. Available only if hsts-header {enable | disable} is enabled. The valid range is from 3600 to 31,536,000. | 7776000 |
certificate <certificate_name> | Type the name of the certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections. The maximum length is 35 characters. To display the list of existing certificates, type: edit ? If sni is enable, FortiWeb uses a Server Name Indication (SNI) configuration instead of or in addition to this server certificate. For more information, see sni {enable | disable}. This option is used only if https-service <service_name> is configured. | No default. |
intermediate-certificate-group <CA-group_name> | Type the name of an intermediate certificate authority (CA) group, if any, that FortiWeb uses to validate the CA signing chain in a client’s certificate. The maximum length is 35 characters. To display the list of existing groups, type: edit ? Available only if https-service <service_name> is configured. | No default. |
ssl-client-verify <verifier_name> | Type the name of a certificate verifier, if any, to use when an HTTP client presents a personal certificate. (If you do not select one, the client is not required to present a personal certificate.) If the client presents an invalid certificate, the FortiWeb appliance does not allow the connection. To be valid, a client certificate must: • Not be expired • Not be revoked according to the certificate revocation list (CRL) (see "config system certificate verify") • Be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance (see the FortiWeb Administration Guide); if the certificate has been signed by a chain of intermediate CAs, those certificates must be included in an intermediate CA group (see intermediate-certificate-group <CA-group_name>) • Contain a CA field whose value matches the CA certificate • Contain an Issuer field whose value matches the Subject field in the CA certificate Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the web site. You can require that clients present a certificate as an alternative to, or in addition to, HTTP authentication. For more information, see the FortiWeb Administration Guide. The maximum length is 35 characters. To display the list of existing verifiers, type: edit ? This option is used only if https-service <service_name> is configured. The client must support SSL 3.0, TLS 1.0, TLS 1.1, or TLS 1.2. Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser's requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb requirements. For example, personal certificates for client authentication may be required to either: • not be restricted in usage/purpose by the CA, or • contain a Key Usage field that includes Digital Signature, or an ExtendedKeyUsage (EnhancedKeyUsage) field whose value includes Client Authentication. If the certificate does not satisfy browser requirements, then even though it is installed in the browser, the browser may not display a certificate selection dialog when the FortiWeb appliance requests the client's certificate, or the dialog may not list that certificate. In that case, verification fails. For browser requirements, see your web browser's documentation. | No default. |
url-cert {enable | disable} | Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate. Available only if https-service <service_name> is configured. | disable |
urlcert-group <urlcert-group_name> | Specifies the URL-based client certificate group that determines whether a client is required to present a personal certificate. If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate. For information on creating a group, see “config system certificate urlcert”. | No default. |
urlcert-hlen | Specifies the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes. FortiWeb blocks any matching requests that exceed the specified size. This setting prevents a request from exceeding the maximum buffer size. Valid values are from 16 to 128. | No default. |
client-certificate-forwarding {enable | disable} | Enable to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X‑Client‑Cert: HTTP header when forwarding the traffic to the protected web server. FortiWeb still validates the client certificate itself, but this can be useful if the web server requires the client certificate for server-side identity-based functionality. Caution: X‑Client‑Cert: is an ordinary request header. Configure the protected web server to trust it only on connections that arrive from FortiWeb; a client that can reach the server directly could otherwise supply its own value. | disable |
sni {enable | disable} | Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate <certificate_name>. The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. See "system certificate sni". If you specify both an SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate <certificate_name> when the requested domain does not match a value in the SNI configuration. If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate <certificate_name>. Available only if https-service <service_name> is configured. | disable |
sni-strict {enable | disable} | Select to configure FortiWeb to ignore the value of certificate <certificate_name> when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration. | disable |
sni-certificate <sni_name> | Type the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain. The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain. If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate <certificate_name> instead. Available only if https-service <service_name> is configured. | No default. |
server-side-sni {enable | disable} | Specifies whether FortiWeb supports Server Name Indication (SNI) for back-end servers that it applies this policy to. Enable this feature when the operating mode is reverse proxy, end-to-end encryption is required, and the back-end web server itself requires SNI support. When the operating mode is true transparent proxy, you enable server-side SNI support using server pool configuration. | disable |
ssl-v3 {enable | disable} | Specifies whether clients can connect securely to FortiWeb using the SSL 3.0 cryptographic protocol. SSL 3.0 is deprecated (RFC 7568) and is vulnerable to the POODLE padding-oracle attack; disable it unless a legacy client cannot be upgraded. Available only if https-service <service_name> is configured. | enable |
tls-v10 {enable | disable} | Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol. TLS 1.0 is deprecated (RFC 8996) and is the version affected by the BEAST attack; disable it unless legacy clients require it. Available only if https-service <service_name> is configured. | enable |
tls-v11 {enable | disable} | Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol. TLS 1.1 is deprecated (RFC 8996); disable it unless legacy clients require it. Available only if https-service <service_name> is configured. | enable |
tls-v12 {enable | disable} | Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol. Available only if https-service <service_name> is configured. | enable |
ssl-pfs {enable | disable} | Specifies whether FortiWeb uses an ephemeral Diffie–Hellman key exchange, generating a fresh key pair for each secure session. Perfect forward secrecy (PFS) ensures that a session's keys cannot be derived from the server's long-term private key or from the keys of any other session, so a later compromise of the server key does not expose previously recorded traffic. Available only if https-service <service_name> is configured. | disable |
ssl-cipher {medium | high} | Specify whether the set of cipher suites that FortiWeb allows creates a medium-security or high-security configuration. For details, see “Supported cipher suites & protocol versions” in the FortiWeb Administration Guide. Available only if https-service <service_name> is configured. | medium |
ssl-rc4-first {enable | disable} | Specifies whether FortiWeb prefers the RC4 cipher when it first attempts to create a secure connection with a client. Preferring RC4 was a workaround for the BEAST (Browser Exploit Against SSL/TLS) attack against CBC ciphers in TLS 1.0. RC4 itself is now prohibited for TLS (RFC 7465) and current browsers mitigate BEAST on the client side, so disable this option, in particular whenever tls-v10 is disabled or ssl-cipher is set to high. Available only if https-service <service_name> is configured. | enable |
ssl-noreg {enable | disable} | Specifies whether FortiWeb ignores requests from clients to renegotiate TLS or SSL. Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server. Available only if https-service <service_name> is configured. | enable |
http-to-https {enable | disable} | Specify enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. Also configure https-service and ensure service uses port 443 (the default). FortiWeb does not apply the protection profile for this policy (specified by web-protection-profile) to the redirected traffic. Available only when the operation mode is reverse proxy. | disable |
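Example (added here; it is not part of the FortiWeb reference). The policy below is a reverse proxy HTTPS policy that overrides the weak protocol and cipher defaults listed in the rows above and adds client certificate verification for selected URLs. The objects vs-web1, pool-web1, web1-cert, web1-sni, web1-verifier, web1-ca-chain, web1-urlcert and web1-protection are assumed to have been created elsewhere, and HTTP and HTTPS are assumed to be the predefined services for ports 80 and 443. Lines beginning with # are annotations, not CLI input.

```text
config server-policy policy
    edit "web1-https"
        set deployment-mode server-pool
        set vserver "vs-web1"
        set server-pool "pool-web1"
        set service "HTTP"
        set https-service "HTTPS"
        # Redirect plain HTTP to the HTTPS service; the profile is not applied to the redirect.
        set http-to-https enable
        # Server certificate plus an SNI configuration (assumed name) for additional host names.
        # With sni-strict disabled, "web1-cert" is still presented for names not in web1-sni.
        set certificate "web1-cert"
        set sni enable
        set sni-certificate "web1-sni"
        set sni-strict disable
        # Protocol versions: the table defaults enable SSL 3.0, TLS 1.0 and TLS 1.1.
        set ssl-v3 disable
        set tls-v10 disable
        set tls-v11 disable
        set tls-v12 enable
        # Cipher policy: the table defaults are ssl-cipher medium, ssl-pfs disable and
        # ssl-rc4-first enable. RC4 preference has no purpose once TLS 1.0 is disabled.
        set ssl-cipher high
        set ssl-pfs enable
        set ssl-rc4-first disable
        set ssl-noreg enable
        # HSTS for one year (the maximum hsts-max-age); effective because https-service is set.
        set hsts-header enable
        set hsts-max-age 31536000
        # Client certificates are required only for URLs in the assumed group web1-urlcert;
        # the chain is validated against the assumed intermediate CA group web1-ca-chain.
        set ssl-client-verify "web1-verifier"
        set intermediate-certificate-group "web1-ca-chain"
        set url-cert enable
        set urlcert-group "web1-urlcert"
        set urlcert-hlen 32
        # Hand the validated certificate to the back end in the X-Client-Cert header.
        set client-certificate-forwarding enable
        set web-protection-profile "web1-protection"
        set monitor-mode disable
        set status enable
    next
end
```

After applying the policy, confirm from outside the appliance that the legacy versions are refused, for example with openssl s_client -connect <vserver-ip>:443 -tls1 (and -tls1_1, or -ssl3 where the local OpenSSL still supports it); each of those handshakes should fail while -tls1_2 succeeds, and the response to a GET over the successful connection should carry the Strict-Transport-Security header. Because the X-Client-Cert header is forwarded as plain request data, the back-end server should accept it only on connections originating from FortiWeb.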
web-protection-profile <profile_name> | Type the name of the web protection or detection profile to apply to connections that this policy accepts. The maximum length is 35 characters. To display the list of existing profiles, type: edit ? | No default. |
waf-autolearning-profile <profile_name> | Type the name of the auto-learning profile, if any, to use to discover attacks, URLs, and parameters in your web servers' HTTP sessions. The maximum length is 35 characters. To display the list of existing profiles, type: edit ? You can view data gathered using an auto-learning profile in an auto-learning report and use it to generate inline or offline protection profiles. For details, see the FortiWeb Administration Guide. This option appears only if deployment-mode is offline-protection. | No default. |
case-sensitive {enable | disable} | Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as start page rules, black list rules, white list rules, and page access rules. For example, when enabled, an HTTP request for http://www.Example.com/ does not match protection profile features that specify http://www.example.com (the capital E is the difference). | No default. |
comment "<comment_str>" | Type a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 999 characters. | No default. |
status {enable | disable} | Enable to allow the policy to be used when evaluating traffic for a matching policy. Note: You can use SNMP traps to notify you of changes to the policy’s status. For details, see “config system snmp community”. | No default. |
monitor-mode {enable | disable} | Enable to override deny and redirect actions defined in the server protection rules for the selected policy. This setting enables FortiWeb to log attacks without performing the deny or redirect action, and to collect more information to build an auto learning profile for the attack. Disable to allow FortiWeb to perform attack deny/redirect actions as defined by the server protection rules. | disable |
noparse {enable | disable} | Enable this option to apply the server policy as a pure proxy, without parsing the content. In this case, the policy allows all traffic to pass through the FortiWeb appliance without applying any protection rules. See also “debug application http” and “debug flow trace”. This option applies to server policy only when the FortiWeb appliance operates in reverse proxy or true transparent proxy mode. Caution: Use this only during debugging and for as brief a period as possible. This feature disables many protection features. See also config http-parse-error-output {enable | disable} in “config config log attack-log”. | disable |
http-pipeline {enable | disable} | Enable to accelerate transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection. Only GET and HEAD methods are supported. Clients must include the Connection: keep-alive HTTP header and use HTTP 1.1 (not 1.0) in order to trigger FortiWeb to allow pipelined requests and send pipelined responses. This feature is supported only when FortiWeb is operating in reverse proxy or true transparent proxy mode. | disable |
sessioncookie-enforce {enable | disable} | • enable — When FortiWeb maintains session persistence using cookies, it inserts a cookie in subsequent transactions in a session if the transaction does not contain a control cookie. This option is useful if your environment uses TCP multiplexing, which combines HTTP requests from multiple clients in a single session for load balancing or other purposes. • disable — When FortiWeb maintains session persistence using cookies, it tracks or inserts the cookie for the first transaction of a session only. It does not track or insert a cookie in subsequent transactions in the session, even if the transaction does not contain a control cookie. For more information on configuring session persistence, see “config config server-policy persistence-policy”. | disable |
<entry_index> | Type the index number of the individual entry in the table. | No default. |
content-routing-policy-name <content-routing_name> | Type the name of an HTTP content routing policy that this server policy uses. To display the list of existing HTTP content routing policies, type: edit ? | No default. |
is-default {yes | no} | Type yes to specify that FortiWeb applies the protection profile to any traffic that does not match conditions specified in the HTTP content routing policies. | No default. |
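Example (added here; it is not part of the FortiWeb reference). The policy below uses deployment-mode http-content-routing with three routing entries, the last of which is the default for requests that match none of the routing policies, and enables prefer-current-session so that later requests on an already routed client connection skip header matching. The routing policies route-api, route-static and route-fallback, the virtual server vs-web1, the certificate web1-cert and the profile web1-protection are assumed to exist (each routing policy selects its own server pool, so the policy itself sets no server-pool). The sub-command name http-content-routing-list for the entry table is also an assumption: the reference lists the table's fields (<entry_index>, content-routing-policy-name and is-default) but not the sub-command. Lines beginning with # are annotations, not CLI input.

```text
config server-policy policy
    edit "web1-routed"
        set deployment-mode http-content-routing
        set vserver "vs-web1"
        set service "HTTP"
        set https-service "HTTPS"
        set certificate "web1-cert"
        # Reuse the routing decision for subsequent requests from an identified client.
        set prefer-current-session enable
        set web-protection-profile "web1-protection"
        set status enable
        # Sub-command name assumed; entry fields are those documented in the table above.
        config http-content-routing-list
            edit 1
                set content-routing-policy-name "route-api"
                set is-default no
            next
            edit 2
                set content-routing-policy-name "route-static"
                set is-default no
            next
            edit 3
                # Catch-all: traffic matching no routing condition still gets the profile.
                set content-routing-policy-name "route-fallback"
                set is-default yes
            next
        end
    next
end
```

Because prefer-current-session pins a client connection to the pool chosen for its first request, test it against a client that reuses one TCP connection for requests that should route to different pools (for example /api/ and /static/ paths) and confirm that the observed behaviour is what the application expects before enabling it in production.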